I had some issues when compiling without the "no-asm" option; this can
probably be fixed by configuring the right paths. I haven't dug into
getting the performance gain since I was focused on resolving the bad
record mac error. If it seems related to the issue, then I can work on
getting it compiled without the "no-asm" option.

Here is the output from cl:

Microsoft (R) C/C++ Optimizing Compiler Version 17.00.51106.1 for x86


Thanks,
Sunil


On Sat, Mar 15, 2014 at 8:55 AM, Dr. Stephen Henson [via OpenSSL] <
[email protected]> wrote:

> On Fri, Mar 14, 2014, Sunil wrote:
>
> > I have OpenSSL 1.0.1f built with OpenSSL-FIPS-2.0.5 using VS2012 and I have
> > gone past the issue with fingerprint mismatch using the compiler flag
> > /DYNAMICBASE:no for both MFLAGS and LFLAGS. However, when using the tool
> > openssl.exe (with OPENSSL_FIPS=1 in the env) in client-server mode
> > (s_server/s_client) I am seeing the following error during the TLS
> > handshake:
> >
> > 3060:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:.\ssl\s3_pkt.c:484:
> >
> > I am using commands like below:
> >
> > openssl s_server -accept 443 -key <key> -keyform PKCS12 -pass <pass> -tls1_2 -cert <cert_file> -certform PEM -no_dhe -no_ecdhe
> >
> > openssl s_client -connect <server_ip>:443 -tls1_2
> >
> > Note:
> >
> > 1. I have built openssl & fips module with no-asm option
> > 2. I have tried suggestions on using OPENSSL_ia32cap (I am not sure if it
> > makes sense because I used no-asm) with no change in the end result.
> > 3. I have also tried disabling all other versions of TLS and SSL v2 & v3.
> > 4. I have verified the communication using Wireshark & Openssl option -msg
> > -debug -state: ClientHello & ServerHello complete and client sends the
> > ChangeCipherSpec and that's when Server responds with bad record mac.
> >
> > PS: On Linux, with the same version of OpenSSL & FIPS used, I did not see
> > any error in the handshake; provided both server & agent are using the
> > openssl compiled for Linux. If I replace any end with an OpenSSL running on
> > Windows, I get the bad record mac error.
> >
> > Any help/suggestion on resolving this issue is greatly appreciated.
> >
>
> If you use "no-asm" you'll get considerably reduced performance and no tested
> Windows platform has used "no-asm". So I'd suggest you don't include that
> option.
>
> What version of the compiler are you using? Try "cl" from the command prompt.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org




--
View this message in context: 
http://openssl.6102.n7.nabble.com/FIPS-capable-OpenSSL-on-windows-failing-with-bad-record-mac-failure-in-a-TLSv1-2-handshake-tp48853p48856.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
